A message from the Minister ...


Every aspect of Ontario’s health system relies on good information — whether that’s a 
doctor prescribing the best treatment, a researcher searching for new cures, a community 
nurse working with a young family, or a health manager deciding how to address the most 
pressing health issues. As individuals, we also want good information about our own health 
from our doctors, nurses, pharmacists, and anyone involved in the health system. 


At the same time, perhaps no information about individuals is more sensitive than their 
personal health information. That’s why we need clear rules in place — rules that tell people 
how their personal health information will be protected, and rules that tell people in the 
health system what steps they need to take to make sure information is used appropriately 
and only under the right circumstances. 


In these days of increasing use of technology, essential information can be shared quickly 
and used effectively, to support flexible, responsive and innovative health service delivery. 
At the same time, strict rules will be necessary to safeguard personal health information.


For the past four years, our government has worked with a wide range of Ontarians to 
develop comprehensive legislation. We conducted two extensive rounds of consultation, 
sending out over 5,000 consultation documents and receiving over 300 written submissions.
In addition, we undertook regional meetings around Ontario. We would like to thank the 
many organizations and individuals who shared their views and helped shape the work done 
to date. 


Work on personal health information privacy legislation for the health sector is an integral 
part of our government’s overall commitment to set clear and consistent rules for the 
collection, use, and disclosure of personal information. To address growing concerns about 
privacy, consultations are underway to lay the groundwork for an Ontario Privacy Act. It 
will set out our government’s overall approach to the protection of individuals’ privacy and 
the rules for how personal information is used in our province. Personal health information 
privacy legislation will be an essential component of our government’s overall approach. 


We’re now in the final stages of preparing the proposed personal health information privacy 
legislation. We need your advice before it is introduced. This consultation paper outlines 
the proposed health sector privacy rules, including some specific questions, for you to 
consider. 


We appreciate very much your participation and look forward to taking the next major step 
— introducing comprehensive legislated personal health information privacy rules for the 
health sector. 
Why are legislated personal health
information privacy rules necessary? 


The goal of the legislation is to strike the right balance — to ensure that the right health 
information is available to the right people at the right time, and to provide assurance to 
individuals that the privacy of their personal health information will be respected. 


What are the key reasons for legislated health sector privacy rules? 
✓ There is a lack of consistent rules covering what information can be collected and how
that information can be used and disclosed. The proposed health sector privacy rules 
would identify health information custodians and would ensure that clear rules are in 
place for those who collect, use and disclose personal health information. 


✓ Currently, there are some rules in place regarding individuals’ access to their own
personal health records. However, the rules often apply only in particular settings, and 
they operate in a patchwork fashion. The proposed rules, if enacted, would provide 
needed consistency and apply across the whole health sector. Individuals will have a 
right of access to their own health records, with very limited exceptions. 


✓ Existing laws that deal with health information apply in some health care settings and
not others, and these laws are inconsistent or non-existent. Most laws deal with health 
records and not the information. In addition, there are few laws governing collection 
and use of health information. The proposed health sector rules will give individuals 
greater control over how their information is collected and used. 


✓ With the increasing use of technology, personal health information could be quickly
collected and quickly shared across the health system. The result is that timely and 
accurate information could be readily available to guide decisions in health — decisions 
about everything from choosing the best treatment for a patient, prescribing a new drug, 
or assessing whether a particular health program is producing positive outcomes we 
want and expect. At the same time, along with the benefits of technology, we need to 
address the risks. And that means having rules in place to protect personal health 
information from unauthorized use and disclosure. 


✓ The Ontario government is taking a comprehensive approach to protecting individuals’
privacy and increasing their ability to control whether and how information about them 
is collected, used and disclosed. Separate rules are necessary to address the unique 
circumstances in the health system. Legislated rules for health information in the health 
sector must strike the right balance between protecting privacy and making sure that 
health information can be used carefully and appropriately to improve care. 
✓ Across Canada and around the world, governments are taking steps to establish
comprehensive laws for personal health information, setting rules for its collection, use 
and disclosure. It is important for Ontario to have its own legislation in place. 


What is the purpose of the health sector privacy rules? 


Beginning with the Ministry’s 1996 consultation paper, the goals for the legal framework 
for health information have been: 


✓ protecting the privacy, confidentiality and security of health information;


✓ facilitating the use and disclosure of health information for the improvement of health
care, ensuring continuity of patient care, and the management of health resources;


✓ striking a balance between the individual and public interests; and


✓ strengthening the rights of each Ontarian to access their health information when they
need it.


These goals are reflected in the proposed personal health information privacy legislation.


How would the proposed legislation help to improve the health system?


✓ The proposed legislation would provide consistent rules for collection, use and
disclosure of health information across the health system, so that information can be 
shared as necessary for continuity of care, with assurance that the information will have 
the same protection wherever it moves. 


✓ Duplication of health services can be avoided with improved ability to share
information, which in turn decreases risk to patients and reduces costs to the health 
system. 


✓ The Ministry of Health and Long-Term Care and its partners in the health system are
striving to promote wellness and improve health outcomes through accessible, 
integrated and quality services. These efforts are impeded when health care providers 
have inconsistent rules for protection and sharing of health information, and where 
legislation is lacking altogether. 


✓ The Primary Care Reform initiative needs these strong rules for full development of its
electronic health information networks which are vital to ensure that patient information 
is available to their doctors and other health care providers in a timely way. 


✓ The Ministry is, through a number of initiatives, working towards an effective
infrastructure for electronic exchange of health information to support patient care and 
the effective management of health care resources. Existing laws have too many gaps 
and inconsistencies to adequately protect and regulate such information exchanges.


Current efforts by hospitals and others to develop comprehensive systems need a proper 
legislative framework. 


How would the legislated health sector privacy rules relate to the proposed 
Ontario Privacy Act? 


Consultations are underway on developing an Ontario Privacy Act. This new legislation 
would be designed to achieve four important goals: 


✓ Comprehensive and seamless privacy protection
✓ Flexibility for unique privacy needs and circumstances
✓ Efficient, fair and effective enforcement
✓ Compatibility with other laws


Developing separate rules for personal health information is key to meeting the second 
goal. This flexible approach reflects the importance Ontarians place on health care and 
health services. It also recognizes the critical need for information in the health system, the 
unique nature of the health system, and the need for distinct rules for the health system. It 
also reinforces the importance of proceeding with the health sector privacy rules even 
though a new Ontario Privacy Act is still in the consultation stages. Once the Ontario
Privacy Act is ready, it is expected that the health sector rules will be incorporated into the 
Act as a separate schedule. A brief description of the proposal for an Ontario Privacy Act 
is attached as Appendix “A” along with contact numbers and addresses for further 
information. 


What is the purpose of this consultation? 


The Ministry is now in the final stages of preparing the proposed health sector privacy 
rules. The purpose of this consultation is to inform people of the progress that has been 
made since release of draft legislation for discussion purposes in 1997, to provide an outline 
of what the proposed health sector rules would include, and to seek people’s advice before 
the legislation is introduced. 


Copies of this consultation paper are being provided to organizations and individuals across 
the province. It is available on the Ministry of Health and Long-Term Care’s website. A 
series of consultation meetings is planned. Written comments can be submitted to the 
Ministry. Check the last section of this paper for the address, fax number and e-mail 
address for submitting your written comments. 
As a result of two extensive rounds of consultation since 1996, we have had the benefit of
considerable comment on most aspects of the proposed legislation. 


As you read through this consultation paper, you will notice only a few specific questions 
set out for your consideration. Consultations to date suggest that it would be helpful to 
have further comments on these particular topics. 


However, your comments on any aspect of the proposed legislation would be most 
welcome and will be carefully considered in drafting the proposed legislation. 
How has the proposal for legislated health
sector privacy rules been developed? 


Previous consultations provide a strong foundation 


The Ministry of Health and Long-Term Care has carried out two extensive rounds of
consultation toward the development of the proposed legislation. Many health care
providers, patients and health care organizations provided advice and suggestions in
response to these consultations.


✓ In June 1996, a discussion paper, “A Legal Framework for Health Information,” was
widely distributed for comment, and regional roundtables were held across the 
province, led by then Parliamentary Assistant to the Minister, Helen Johns. Over 100 
written submissions were received. 


✓ In November 1997, a draft Personal Health Information Protection Act was the focus
for further consultations including regional roundtables, led by then Parliamentary 
Assistant to the Minister, Tim Hudak. More than 5,000 consultation documents were 
distributed to individuals and groups. In addition, copies of the draft Act and a plain 
language overview were made available on the Ministry’s website. Over 200 written 
submissions were received. 


The results of both of these consultations, the valuable input of the Information and Privacy 
Commissioner and her staff, and review of similar legislation across Canada and around the 
world, have provided a firm foundation for developing the proposed legislation for personal 
health information in the health sector. 


What progress has been made? 


As a result of previous consultations, key issues were identified and options were 
considered as part of developing personal health information privacy legislation. Those 
issues have been addressed as part of the further work done to refine and improve the 
proposed rules. In general, though, the overall direction of the proposed legislated rules is
consistent with the approach taken in the 1997 draft Act. 


Proposed changes from the 1997 draft Act include the following: 
✓ The scope of the proposed legislation

The 1997 draft Act proposed that the legislation would cover a wide range of
individuals and organizations both inside and outside of the health system. The current
proposal focuses more narrowly on the health sector. (See list of proposed “health
information custodians” beginning at page 11.) Many other organizations and agencies
would be covered by the proposed Ontario Privacy Act.


✓ Requirements relating to research


Beyond patient care, health research is one of the most important activities of the health 
care system. Every Ontarian has an interest in effective health research, as it can help to 
uncover the causes of diseases, and show us ways to prevent, alleviate and cure 
diseases. 


Good research depends on researchers having timely access to complete data. Ontario 
legislation has long recognized the public interest served by research, permitting 
disclosure of health information without consent for research purposes under such 
existing statutes as the Freedom of Information and Protection of Privacy Act, the 
Mental Health Act, the Public Hospitals Act, and the Medicine Act, 1991. 


As such, the 1997 draft Act proposed that use or disclosure of health records for a 
research project be permitted without the consent of individuals if certain conditions 
were met, including: 


- the personal health information is essential for the research; 

- a research ethics body has approved the disclosure if such approval is required; and

- the researcher has entered into an agreement with the custodian that complies with 
the requirements set out in the Act to protect the confidentiality and security of the 
information. 


The proposed legislation would introduce some significant changes to the research rules 
in the 1997 draft Act. These changes would strengthen the privacy protection for 
individuals’ records. Under the new proposal: 


- A research ethics review body would review all research proposals involving the use 
or disclosure of personal health records. 

- The consent of individuals would have to be obtained before their health records 
could be used or disclosed for a research project or program, except where obtaining 
such consent would be impractical or where it would compromise research results. 


The proposed legislation would also clarify that these research rules would apply only 
to personal health information that has previously been collected and recorded for 
another purpose. Rules for research involving human subjects directly (such as clinical 
trials or questionnaires) would be outside the scope of the legislation. Even in those 
cases, however, the rules would apply if existing health records are used or disclosed to 
identify individuals with specific characteristics so as to invite them to become potential 
research subjects. 
What do you think?


Would the proposed consent rules for research use and disclosure of health records
provide the appropriate balance between the privacy interest of individuals and the
public interest in health research?

Do you have comments on how best to meet the proposed new consent requirements for
research and to apply the limited exceptions?

How could new or existing structures be used to implement the proposed requirement
for review by a research ethics review body for the use or disclosure of personal health
information for a research project or program?


✓ Requirement to record unanticipated disclosures


The 1997 draft Act did not place specific requirements on health information custodians 
about recording disclosures of personal health information, leaving the matter to 
administrative practice. This could limit the ability of individuals to find out when their 
personal health information had been disclosed and for what reason. 


In order to provide stronger accountability in information practices, the proposed health 
sector privacy rules would require custodians to document all unanticipated uses and 
disclosures of health information made without the consent of the individual. This 
could include, for example, an investigation by a regulatory body. This requirement is 
not intended to apply to day to day clinical care. 


Individuals would have a right to see this documentation under the same rules as they 
have access to their own health records under the legislated health sector privacy rules. 


These special documentation rules would not apply to uses and disclosures of personal 
health information that can be anticipated. However, health information custodians 
would have a general obligation to be open about their information management 
practices and that would include having written information available to individuals 
about uses and disclosures of personal health information that they anticipate making 
under the legislation. 


What do you think? 


What are your views of the proposed requirements for documentation of certain uses
and disclosures, and access to the documentation, and how could these best be
implemented so as to meet the expectation of accountability in information practices,
while being workable for health information custodians?
✓ Use and disclosure of registration information


Registration information is information that is collected for the purpose of registering 
the individual for services or benefits provided by the custodian, such as name, home 
address, date of birth, and marital status. 


The 1997 draft Act included several general limiting principles that apply throughout 
the Act. Personal health information could not be collected if other information would 
serve the purpose. If personal health information was needed, no more information than 
was reasonably necessary to meet the purpose could be collected, used or disclosed. 
Guidance on applying the principles could be provided by regulations. 


To provide additional privacy protection when information is used or disclosed for a 
purpose other than the primary purpose for which it was collected, a further limiting 
principle would be included in the rules. 


The proposed new principle would stipulate that, where the purpose could be met by 
registration information alone, other health information (e.g. details regarding health or 
health care) must not be used or disclosed. 


The proposed legislation would apply this principle to health facility fundraising as
described later in this paper. Regulations would provide guidance on other
circumstances when this restriction would apply.


What do you think? 


Would privacy protection for individuals be improved by placing greater restrictions on
use and disclosure of some types of health information (e.g. details of health and health
care) than on registration information?

For what purposes could this approach be appropriate?

How could this type of approach be implemented without unnecessary complexity?


✓ Patients’ right to block disclosure for health care purposes


Under the 1997 draft Act, individuals would have had a statutory right to block the 
transfer of any part of their personal health information between their other health care 
providers. This concept has become known as a “lock box”.


While this approach would have permitted an individual to control disclosure between 
their health care providers, further exploration showed definite problems with the 
concept. There are cases where an individual could decide to block the disclosure of 
information that is vitally important to their health and well-being and to decisions 
about their treatment. The concern is that “locking” information could create a 
dangerous and in certain circumstances potentially life threatening situation for that
individual. 


The proposed legislation would not include a lock box. Health care providers would 
have the responsibility to protect individuals’ health information, follow the legislated 
health sector privacy rules, and use their professional judgment in ensuring that 
personal health information is used and shared appropriately.


✓ Computer matching


Computer matching refers to comparisons of two or more computerized sets of data to 
produce a list of people who meet specified criteria in each of the databases. This is 
done by running a program to select the data in question from the several databases and 
create a list of individuals meeting the desired criteria. For example, information 
obtained by computer matching could indicate that an individual may be entitled to 
benefits they have not applied for, or an individual may not be entitled to certain 
benefits they are receiving. The term “computer matching” does not include comparing 
information from several databases about a specific person. 


In the 1997 draft Act, the part titled “Computer Linkage” was criticized as unworkable. 
Some people mistakenly thought that only that part of the draft Act would apply to 
computerized health information. In fact, it was intended that computerized personal 
health information be subject to the entire Act, plus just a few specialized provisions. 
This is also true of the current proposal. 


The former computer linkage provisions were seen as too broad and would be replaced 
in the proposed legislation by narrower provisions dealing with computer matching. 


In the proposed legislation, a custodian that is also an institution under the Freedom of 
Information and Protection of Privacy Act or the Municipal Freedom of Information 
and Protection of Privacy Act would be required to provide an assessment to an 
independent oversight body for review and comment, before carrying out computer 
matching of data where the results of the matching will be used for a purpose that 
directly affects an individual. An assessment would not be required where matches are 
conducted for research, statistical or criminal investigation purposes. 


The assessment would include the types of records involved, compliance with the 
health sector privacy legislation regarding collection, use and disclosure, data security,
retention and disposal of records, steps for notifying individuals affected by actions 
resulting from the match for verification of accuracy, and a business case. 
What would be included in the proposed
health information privacy legislation? 


What types of health information would be included? 


The focus of the legislation would be on personal health information. That would include 
information about an individual where the individual could be identified directly or 
indirectly. It would include information related to: 


✓ the individual’s health or well-being
✓ the provision of health care to the individual
✓ payments or eligibility for health care in respect of the individual
✓ blood donations and other such donations by an individual
✓ the individual’s health number
✓ registration information.


Some specific types of health information would not be covered by the legislation. That 
would include: 


✓ personal health information about an individual who has been dead for more than 30
years or recorded information that is more than 100 years old

✓ anonymous or statistical information that does not by itself or when combined with
other information allow individuals to be identified

✓ personal health information related to an individual collected for the purpose of labour
negotiations or employment of individuals.


Specific rules would also be put in place for a category of information called “quality of 
care information.” This would refer to information collected or prepared exclusively for a 
certain kind of committee in a hospital or other health care facility or organization 
prescribed by the regulations (e.g. health care provider peer reviews, hospital quality 
assurance, error or risk management programs, ethics review). The health rules would 
protect such information from being used in a proceeding. As well, witnesses in 
proceedings would not be required to testify about or give out such information. This 
approach would reflect the public interest in promoting thorough reviews of patient care. It 
reflects the law in most other jurisdictions in North America. Quality of care information 
would not include records that were not prepared exclusively for this kind of committee. 


Who would the rules apply to? 


The personal health information privacy rules would apply to a wide variety of people and 
organizations in the health sector that have custody or control of personal health 
information. These individuals and organizations would be listed in the legislation and 
would be called “health information custodians.” These would include: 
✓ Health care practitioners — including:


- individuals who practise a health profession within the meaning of the Regulated
Health Professions Act, 1991. This refers to 22 professions and includes, for
example, physicians, nurses, pharmacists, psychologists and dentists.

- individuals who practise as drugless practitioners registered under the Drugless
Practitioners Act. This refers to naturopaths.

- social workers who provide health care and are members of the Ontario College of
Social Workers and Social Service Workers

- individuals who treat the physical or mental health or well-being of an individual for 
payment. This would include, for example, acupuncturists and health counsellors 
who are not among the regulated professions above. 


✓ Service providers who provide services under the Long-Term Care Act


✓ Service providers who provide services under the Child and Family Services Act, except
children’s aid societies


✓ People who operate the following kinds of facilities, programs or services:


- A hospital within the meaning of the Public Hospitals Act, a private hospital within 
the meaning of the Private Hospitals Act, a psychiatric facility within the meaning 
of the Mental Health Act, an institution within the meaning of the Mental Hospitals 
Act, or a regional cancer centre 

- An independent health facility within the meaning of the Independent Health
Facilities Act 

- An approved charitable home for the aged within the meaning of the Charitable 
Institutions Act, a home or joint home within the meaning of the Homes for the Aged 
and Rest Homes Act, or a nursing home within the meaning of the Nursing Homes 
Act 

- A home for special care within the meaning of the Homes for Special Care Act 

- A home for retarded persons within the meaning of the Homes for Retarded Persons 
Act 

- A retirement home for elderly people 

- A pharmacy within the meaning of the Drug and Pharmacies Regulation Act 

- A laboratory or specimen collection centre as defined by the Laboratory and 
Specimen Collection Centre Licensing Act 

- An ambulance service within the meaning of the Ambulance Act 

- A community health program or service 

- A program or service funded under the Developmental Services Act 

- A program of employment supports within the meaning of the Ontario Disability 
Support Program Act, 1997. 


✓ An evaluator within the meaning of the Health Care Consent Act, 1996
✓ An assessor within the meaning of the Substitute Decisions Act, 1992
✓ The Minister of Health and Long-Term Care
✓ A district health council established under the Ministry of Health Act


✓ A College within the meaning of the Regulated Health Professions Act, 1991 or the
Board of Regents continued under the Drugless Practitioners Act 


✓ Cancer Care Ontario


✓ A person who maintains a registry of personal health information that relates to a
specific disease or condition or that relates to the storage or donation of body parts or 
bodily substances 


✓ A person or class of persons prescribed in the regulations who maintains a repository of
personal health information for the primary purpose of data analysis or research (For
example, it is proposed to prescribe under this category: the Canadian Institute for 
Health Information (CIHI) and the Institute for Clinical Evaluative Sciences (ICES)) 


✓ The Minister of Consumer and Commercial Relations who exercises a power or
performs a duty as the Registrar General under the Vital Statistics Act. 


✓ Any other person or class of persons prescribed by the regulations as health information
custodians if they have custody or control of personal health information as a result of 
or in connection with performing their powers or duties or the work prescribed by the 
regulations. 


The health sector privacy rules would apply to health care practitioners who provide health 
care, even if they were working for an employer that was not a health information 
custodian. For example, if a physician were providing health care as part of his employment 
with a factory or a penal institution, the rules for collection, use and disclosure of personal 
health information in this proposed legislation would apply to that physician. 
How would the proposed health sector
privacy rules protect personal health
information?


The legislation would protect personal health information by setting out specific limitations 
on the types of information that could be collected, used and disclosed, and by setting clear 
expectations and requirements for how health information is to be treated. 


At the same time, because personal health information is so important to an individual’s 
care, the rules for protecting personal health information would not stand in the way of 
sharing information that is needed to provide health care to an individual. 


When an individual needs health care — whether that means going to emergency, visiting 
their doctor, or getting advice from a specialist — their personal health information must be 
available so that the best treatment decisions can be made. 


Overall, these are the key features of how personal health information would be protected. 


✓ With specific exceptions, individuals would need to give their consent before personal
health information could be disclosed. 


Consent would be a critical component of the proposed personal health information 
privacy legislation. As a general rule, custodians would have to obtain an individual's 
informed consent before disclosing personal health information. The legislation would 
set out specific situations where personal health information could be disclosed without 
an individual’s consent, such as disclosure needed for the provision of health care to the 
individual. (See page 18 regarding consent on behalf of incapable individuals.) 


The exceptions build on provisions that already exist in a patchwork of laws but would 
now form part of a comprehensive system of regulation. 


✓ Personal health information would be collected, used or disclosed only if other 
information would not serve the purpose. 


A custodian would not be permitted to collect, use or disclose personal health 
information if information that is not personal health information would serve the 
purpose. For example, information that identifies individuals should not be used for 
planning purposes if aggregate information could be used. 


✓ Only the necessary amount of personal health information could be collected, used or 
disclosed. 


No more personal health information than is reasonably necessary for a specific purpose 
could be collected, used or disclosed under the proposed legislation. This rule is not to 
be construed so as to hamper health care providers in providing or assisting in providing 
health care to individuals. 


✓ Health information custodians would have a responsibility to protect an individual’s 
identity. 


To the extent reasonably possible, health information custodians would be expected to 
take steps to conceal the identity of individuals while still meeting the purpose for 
collecting, using or disclosing the information. 


✓ Health information custodians would be responsible and accountable for maintaining 
the confidentiality and security of the information. 


The legislation would set out rules for the collection, use and disclosure of personal 
health information. All custodians would be responsible for implementing policies and 
safeguards to ensure that the standards are met. If health information custodians did not 
follow the rules, individuals would be able to lodge complaints. Custodians could be 
fined for violating the rules. 


✓ Persons employed by or in the service of health information custodians would be 
under restrictions concerning the collection, use and disclosure of personal health 
information as well. 


The rules for collecting, using and disclosing personal health information would apply 
to persons employed by or in the service of a health information custodian when those 
persons exercise powers or perform duties for or on behalf of the custodian. That would 
include an agent, student, volunteer, member of the medical or other staff, and a person 
employed by the custodian. 


Health information custodians could retain information managers, responsible for 
processing, storing or disposing of health information records or providing information 
management or information technology services. These information managers could 
receive personal health information only if there was a specific agreement in place with 
the health information custodian to ensure that personal health information was 
safeguarded appropriately, and to delineate the respective roles and responsibilities of 
the custodian and the information manager. 


✓ The personal health information privacy legislation for the health sector would have 
an effective oversight regime. 


Oversight of the health sector privacy rules would be the responsibility of a neutral, 
arms-length body. The oversight body would be responsible for reviewing complaints, 
looking into information practices, and ensuring compliance with the legislation. In 
addition, there would be fines for violating the rules. 


✓ The health sector privacy rules would help to protect personal health information 
even when it moved outside the control of custodians. 


Custodians sharing information would all operate under the same strong legislated rules. 


Even when information was disclosed to a person who is not a health information 
custodian, the proposed legislation would place restrictions on the recipient. The 
recipient of personal health information from a custodian would only be able to use the 
information for limited purposes: the purpose for which it was disclosed, a purpose to 
which the individual consents, or as this legislation or another law permits. 


Any person who knowingly gained or tried to gain unauthorized access to personal 
health information held by a custodian would be committing an offence under the 
proposed legislation. This would mean that they could be prosecuted under the 
Provincial Offences Act. 


✓ The health sector privacy rules would help to protect personal health information 
even when it was used or disclosed outside of Ontario. 


A health information custodian that has collected personal health information in Ontario 
would not be permitted to use or disclose the information outside Ontario unless the 
health sector privacy legislation would allow that use or disclosure within Ontario. A 
custodian would be required to take reasonable precautions to ensure that the 
confidentiality of the information is preserved. 


What rights would individuals have? 


The proposed personal health information privacy legislation for the health sector would 
provide certain rights to individual Ontarians in relation to their own personal health 
information held by health information custodians. That would include: 


✓ the right to give or refuse consent before their personal health information is disclosed, 
except in circumstances specified in the legislation (see list of exceptions beginning at 
page 26) 

✓ the right to access their own individual health records with very limited exceptions 

✓ the right to ask for corrections to be made to their personal health records 

✓ the right to challenge a refusal of access to their own health records to an independent 
oversight body 

✓ the right to take complaints about a custodian’s compliance with the legislation to an 
independent oversight body. 




Individual Ontarians could expect to be well informed about how their personal health care 
information is used and disclosed by different health information custodians, and to know 
whom they can contact if they have questions or concerns. Health information custodians 
would be expected to be open with individuals, providing information about the policies 
and standards they follow, answering questions, and informing individuals of expected uses 
or disclosures of their personal health information. 


Individuals could also expect safeguards to continue to be in place to limit collection and 
use of their health number. The health sector rules would specifically set out when a person 
can collect and use health numbers and under what conditions. 


What would the rules be for giving consent? 


When a person is asked to give consent for the collection, use or disclosure of their personal 
health information, their consent would have to: 


✓ be informed 

✓ be voluntary 

✓ relate to the specific information involved, and 

✓ not be obtained through misrepresentation or fraud. 


What does informed consent mean? It means that the person, at the time of giving the 
consent, has the information a reasonable person would need to make a decision about 
whether to consent to having their personal health information collected, used or disclosed. 
Typically, that information would include: 


✓ who is going to collect, use, disclose or receive the information 

✓ why they need it and what it will be used for 

✓ what kind of information is needed and how much 

✓ what the consequences would be if the person decides to give or not give consent and 

✓ whether the information will be used outside Ontario and, if so, to be informed that the 
privacy rules there may be different from Ontario’s rules 


The individual would have a right to have any questions answered, prior to deciding about 
consent and about any limits to place on the consent. 


A person’s consent could be limited to a certain period of time or to a specific disclosure, 
and the person could also choose to revoke their consent at any time, although the 
revocation would not have a retroactive effect. 


What would happen when an individual is unable to give consent? 


We can all imagine situations where an individual is unable to give consent regarding use 
or disclosure of their personal information, for example, situations involving children or 
incapable adults. 


Generally, an individual is considered to be capable of making their own decisions about 
collection, use or disclosure of their personal health information if they understand what the 
information is about and are able to appreciate the reasonably foreseeable consequences of 
giving or withholding consent to its collection, use or disclosure. 


If a person is incapable of making a decision about consent, the following people, in order 
of priority, could make a decision on his or her behalf, provided that certain requirements 
are met: 


✓ The individual’s guardian of the person or guardian of property appointed under the 
Substitute Decisions Act, 1992 

✓ The individual’s attorney for personal care or attorney for property appointed under the 
Substitute Decisions Act, 1992 

✓ The individual’s representative appointed by the Consent and Capacity Board 
established under the Health Care Consent Act, 1996 

✓ The individual’s spouse or partner 

✓ A child of the individual; or a parent of the individual, a children’s aid society or 
another person who is lawfully entitled to decide in place of the parent 

✓ A parent with only a right of access to the individual 

✓ A brother or sister 

✓ Any other relative of the individual 

✓ The Public Guardian and Trustee 


A person who is permitted to make decisions on behalf of another individual would be 
required to consider the wishes, values and beliefs of the individual in making his or her 
decisions. 


Occasionally, a person who is found incapable with respect to personal health information 
might disagree with the finding that they are incapable to decide about disclosure. In those 
cases, the person would have the right to have the finding reviewed by the Consent and 
Capacity Board. 


People of any age who are mentally capable to do so may give consent for the collection, 
use or disclosure of their health information. However, the proposed legislation would 
recognize that parents often make arrangements for their young children where health 
information may be needed from a health information custodian (for example, for some 
camp programs) and it would be impractical if capacity of those young people had to be 
determined in all such circumstances. The legislation would, in the case of children under 
the age of 16, permit consent to be given by the child, if capable to do so, or a parent, 
children’s aid society (CAS) or other person who is lawfully entitled to decide in place of 
the parent regarding the collection, use or disclosure of the child’s health information. 
However, a parent or other person described above would not be permitted to consent in 
place of a mentally capable young person in cases where the information relates to 
treatment where the child made a decision on his or her own under the Health Care Consent 
Act, 1996 or counselling in which the child participated on his or her own under the Child 
and Family Services Act. 


What rights would individuals have to access and request corrections to 
their personal health records? 


Under the proposed legislation for personal health information in the health sector, 
individual Ontarians would have the right to access their own personal health information 
held by any health information custodian, with very limited exceptions. With the 
legislation in place, individuals would be able to ask to access their health records in their 
doctor’s office, check their medical records at a hospital or see the results of lab tests. This 
extends to all health care settings rules that have existed in psychiatric facilities since 1986. 


The legislation would set out a formal process for individuals or their substitute decision- 
makers to get access to their personal health records. However, other informal ways for 
individuals to obtain access to their own health records could continue. In most cases, the 
expectation is that people could simply ask for access to their health records and that 
request would be granted without a formal written request. 


Individuals would also be able to request copies of all or a part of their personal health 
information. Health information custodians could charge a reasonable fee for providing 
copies of personal health information. Rules for determining the level of fees and 
conditions for waiving them could be set in regulations. 


The right to have access to one’s own health records would not depend on age or mental 
capacity. However, for children under the age of 16, access to the child’s personal health 
record could also be given to a parent, children’s aid society or other person who is lawfully 
entitled to give or refuse consent to a treatment in place of the parent. Such access would 
not apply in cases where the information relates to treatment where the child made a 
decision on his or her own under the Health Care Consent Act, 1996 or counselling in 
which the child participated on his or her own under the Child and Family Services Act. 


A custodian receiving a request for access to an individual’s personal health records would 
be expected to respond within 30 days, but extensions could be provided under certain 
circumstances. 


A health information custodian could refuse to provide an individual with access to their 
health record only in certain circumstances set out in the legislation. This would include 
cases, for example, where: 


✓ providing access could result in harm to the treatment or recovery of the individual or 
physical or mental injury to another individual, or 


✓ accessing the record could reasonably be expected to constitute an unjustified invasion 
of another person’s privacy. 


An individual who disagreed with a custodian’s refusal to give access to all or a part of his 
or her health record could complain to an independent oversight body. If the oversight 
body determined that the individual was entitled to access, that body could order the 
custodian to grant access. 


People could request that a custodian amend their personal health record if they think it 
contains an error or omission. The custodian would have a duty to either amend the 
information as requested, or attach a statement of disagreement to the record setting out the 
requested amendment and indicating that the custodian has not made the amendment. 


Where an amendment was made, the custodian would have to notify the persons to whom 
the custodian had disclosed the information during the previous year. This would not be 
required in some circumstances, for example, if the change could not reasonably be 
expected to have an effect on the ongoing provision of health care or other benefits to the 
individual. 


What responsibilities would health information custodians have? 


Health information custodians would be responsible for ensuring that the requirements of 
the personal health information privacy legislation are met. 


To fulfill those responsibilities, health information custodians would be required to: 


✓ Take reasonable steps to establish and maintain administrative, technical and 
physical safeguards and practices to: 


- protect the integrity, accuracy and confidentiality of personal health information 

- protect against any reasonably foreseeable threat or hazard to the security or 
integrity of the information 

- protect against the reasonably foreseeable risk of loss of the information or 
unauthorized use, access to, disclosure or changes to the information 

- ensure that their employees or people who provide services to them comply with the 
legislation. 


✓ Be open about their information management practices 


- Provide information to patients at key points in the health system regarding the 
sharing of personal health information among different health care providers 
involved in providing care to that patient 

- Make information available in writing about their information management 
practices including how security is protected, routine uses and disclosures of 
information, who the key contact person is, and processes for obtaining access and 
for making complaints. 

- In addition, depending upon their various questions and concerns, individuals may 
request information about a custodian’s policies and practices regarding collection, 
use and disclosure of personal health information. 


✓ Establish written policies regarding the retention and disposal of records of personal 
health information 


The health sector privacy rules would not override or modify requirements concerning 
retention or disposal of records contained in another Act. The health information 
custodian would have to ensure that, when records were disposed of, the privacy of 
individuals was protected. 


✓ Designate a contact person 


Responsibilities of the contact person would include facilitating the custodian’s 
compliance with the legislation, responding to inquiries about the custodian’s 
information practices, and receiving complaints from the public. 


What rules would be in place for collecting, using and disclosing personal health information? 


One of the most important features of the proposed personal health information privacy 
legislation would be clear and consistent rules for collecting, using and disclosing personal 
health information. All health information custodians would be required to follow these 
rules. 


The specific rules would link directly to the overriding requirements outlined earlier in this 
paper. That means health information custodians could collect, use and disclose personal 
health information only if other information would not serve the purpose. It also means 
they could collect only as much personal health information as necessary for the specific 
purpose. At all times, they would be expected to take steps to the extent reasonably 
possible to protect the identity of individuals. Informed consent would be required except 
in circumstances specified in the legislation. 


What rules would cover collection of personal health information? 


✓ Health information custodians could collect personal health information only if it was 
expressly permitted by a specific law or was necessary for a lawful purpose related to a 
function or activity of the custodian. 


✓ Health information custodians would have to document why personal health 
information is being collected, except in cases where the information is being collected 
to provide or assist in providing health care. If a custodian collected personal health 
information relating to an individual directly from the individual, the custodian would 
have to take reasonable steps to inform the individual of the purposes for which the 
information is being collected unless it is reasonable to infer those purposes in the 
circumstances. This would have to be done before or while collecting the information 
or as soon as practicable afterwards. 


✓ In most cases, personal health information would have to be collected directly from the 
individual involved. The legislated health sector privacy rules would set out the 
exceptions. 


What rules would cover use and disclosure of personal health information? 


✓ Personal health information could only be used for certain purposes. 


Health information custodians would be able to use personal health information only in 
the following circumstances: 


- for the purpose for which it was collected or created 

- for a purpose that is directly related to the purpose for which it was collected or 
created 

- if the individual consents to its use 

- if the information may be disclosed, or is required to be disclosed, to the custodian 
under the health sector privacy rules 

- for planning or delivering programs or services of the custodian, allocating 
resources to those programs or services, evaluating or monitoring them, or 
detecting, monitoring or preventing fraud related to them 

- for risk or error management related to programs or services of the custodian 

- for educating persons employed by or in the service of the custodian and who 
provide health care 

- for concealing the identity of the individual, separating out identifiers of the 
individual from the information, or deriving anonymous or statistical information 
from the information 

- for a research project or program conducted by a researcher who is employed by or 
in the service of the custodian, if the specific requirements of the legislated health 
sector privacy rules are met 

- subject to this legislation, if permitted or required under any other Act of Ontario or 
an Act of Canada or a treaty, agreement or arrangement under any of those Acts. 


✓ Health information custodians would have to identify expected uses and disclosures 
of an individual’s personal health information. 


When asked, health information custodians would be required to explain to individuals 
the uses and disclosures they expect to make related to that individual’s personal health 
information. 


✓ Before using or disclosing health information, custodians would have to take 
reasonable steps to ensure that the information is accurate, complete and not 
misleading. 


✓ Personal health information could not be used or disclosed for marketing purposes, 
without an individual’s consent. 


Health information custodians would not be able to use or disclose personal health 
information in order to solicit money, to market services or for market research, except 
where an individual consents. 


✓ Charitable fundraising activities by health care facilities would be permitted without 
consent if some conditions are met. 


The proposed health sector privacy rules would allow an organization that provides 
health care to use or disclose limited personal health information without consent for 
charitable fundraising related to its operations. The use and disclosure of health 
information for fundraising would be restricted to name and address only. Individuals 
would be notified that they have a right to opt out. Regulations would provide guidance 
to address circumstances of particular sensitivity, such as fundraising from patients who 
had received treatment for substance abuse or other very sensitive circumstances. 


✓ The proposed health sector privacy rules would protect an individual’s health number 
and set limits on its collection, use and disclosure, as currently provided for in a 
separate statute. 


The general rules of the legislation would continue to place restrictions on health 
information custodians. People who are not health information custodians would be 
prohibited from collecting, using or disclosing another person’s health number except 
for purposes related to the provision of publicly funded health services to that person or 
in other limited situations. 


What additional rules would cover disclosure of personal health 
information? 


Some of the most sensitive decisions involve disclosing personal health information. It is 
critical that clear rules be in place to guide health information custodians in making these 
decisions and also to reassure the public that their personal health information will be 
carefully safeguarded. 


The provisions of the proposed legislation would build on existing laws and would ensure 
greater consistency. 


✓ The starting point would be that personal health information would be disclosed only 
when individuals had provided their consent. 


As noted earlier, the basic starting point is that individuals would be asked to provide 
their consent before their personal health information could be disclosed. The 
legislation would set out the specific situations in which consent would not be required. 


✓ Disclosure of information about an individual without his or her consent would be 
permitted in specific situations set out in the legislation. 


Some of these disclosures relate closely to the provision of health care to the individual. 
Disclosure would be permitted in the following circumstances: 


- to certain health information custodians defined in the legislation for the purpose of 
providing, or assisting in providing, health care to the individual 

- for the purpose of determining or verifying the eligibility of the individual under an 
Act of Ontario or Canada to receive health care or other benefits, where the health 
care or benefits are provided or funded by provincial, federal or municipal 
governments 

- for the purpose of obtaining payment for health care provided to the individual 

- for the purpose of contacting a relative or friend of the individual, if the individual is 
injured, incapacitated or ill 


Hospitals or other health facilities would continue to be able to disclose limited 
information about patients when someone inquires about them. This would include 
confirmation that the individual is a patient or resident of the facility, whether the 
individual’s health status is critical, poor, fair, stable or satisfactory, and information 
about the location of the individual in the facility (for example, confirming that the 
person is in surgery, intensive care, or emergency.) Individuals would be able to 
expressly request that no information is to be disclosed and the hospital or other facility 
would be required to abide by those requests. 


Health information custodians would be able to disclose certain information about 
people who have died. This would include information that would help to identify the 
individual, inform certain people about the circumstances of the individual’s death, 
allow a spouse, partner or relative to make decisions about their own care or the care of 
their children, or to inform estate trustees of a person’s death. 


The legislation would set out certain circumstances in which disclosing personal health 
information is important to help improve health, the delivery of health services, or to 
protect the health of people in a community. Specific examples would include 
disclosures: 


- to the Chief Medical Officer of Health or a medical officer of health within the 
meaning of the Health Protection and Promotion Act or a similar public health 
authority established under the laws of Canada, a province other than Ontario or a 
territory, if the disclosure is made for the purpose of public health protection and 
promotion 

- to Cancer Care Ontario (CCO) 

CCO is the province-wide cancer agency mandated by the Government of Ontario 
to provide strategic direction and leadership for all components of Ontario’s cancer 
control system and to provide certain cancer control services through the operation 
of Regional Cancer Centres and other provincial cancer programs, as appropriate. 
Cancer control services mean services relating to prevention, screening, diagnosis, 
surveillance, evaluation, treatment and supportive care, including palliation, 
research, education and training. 

- for an audit or accreditation relating to the custodian’s services provided that 
personal health records are not removed from the custodian’s premises 

- to a person for the purpose of the management of the custodian’s programs or 
services, including the delivery of services, the evaluation and monitoring of any of 
the programs or services, the allocation of resources, future planning and the 
detection, monitoring and prevention of fraud (Custodians would be required to 
ensure that safeguards were in place to protect the information). 


The health sector privacy rules would permit disclosure without consent for certain 
health screening programs, such as the cervical cancer registry initiative. Approved 
health screening programs would be designated by regulation, and subject to conditions 
set out in the regulations. An individual would be included in such a program if 
disclosure for this purpose was not contrary to the express request of the individual. An 
individual would have to be given notice of the right to opt out. 


Disclosure without consent would also be permitted in certain situations related to risks 
and to custody of the individual. These would include: 


- for the purpose of eliminating or reducing a risk to an individual’s safety if the 
custodian believes on reasonable grounds that the risk is significant 

- to the head of a penal or other custodial institution in which the individual is being 
lawfully detained or the officer in charge of a psychiatric facility in which the 
individual is being lawfully detained, to assist the institution or facility in managing 
the individual’s physical or mental health or making a decision concerning the 
placement of the individual into custody, detention or release. 


Disclosure of personal health information would be permitted for specific purposes 
related to these health sector privacy rules or other legislation, including the following: 


- for determining capacity under the Health Care Consent Act, 1996, the Substitute 
Decisions Act, 1992 or under the proposed legislation 

- to regulatory bodies of health professionals, drugless practitioners and social 
workers for administering and enforcing their respective Acts 

- to the Public Guardian and Trustee or a children’s aid society to carry out their 
statutory functions 

- in the case of institutions under the provincial or municipal Freedom of Information 
and Protection of Privacy Acts for certain purposes in those Acts not otherwise 
covered by the proposed legislation 


- to a person for an inspection, investigation or similar procedure that is authorized 
under an Act or by a warrant 

- to bring a suspected offence or violation to the attention of the relevant authority to 
decide whether to carry out an inspection, investigation or similar procedure that is 
authorized under an Act or by a warrant 

- subject to this legislation, if permitted or required under an Act of Ontario or 
Canada or a treaty, agreement or arrangement under any of those Acts. (Examples 
include reporting of child abuse under the Child and Family Services Act or 
disclosures authorized under the Workplace Safety and Insurance Act, 1997.) 


Health information custodians would be permitted to disclose personal health 
information when transferring records to a custodian’s successor (for example, when a 
physician takes over the practice of a retiring physician), or when transferring records to 
archives for conservation. 


✓ Rules would be set for disclosure of personal health information to or by the Minister 
of Health and Long-Term Care. 


As a custodian, the Minister of Health and Long-Term Care would be subject to the 
same rules as other custodians under the legislation. However, the Minister has some 
unique responsibilities with respect to the health system, and the proposed legislation 
would permit health information custodians to disclose personal health information to 
the Minister for those purposes. These would include: 

- managing the health system, planning for the system’s future needs, evaluating its 
effectiveness, detecting and preventing fraud 

- verifying information held by the Ministry, or another person if it is for a 
health-related purpose or a purpose related to benefits administered by a health 
information custodian 

- administering or enforcing Ministry of Health and Long-Term Care legislation. 


In some circumstances, the Minister could require certain custodians to disclose 
personal health information for these purposes. The proposed legislation would limit 
who could receive the information on behalf of the Minister. If the program or service 
was health-related but not funded in whole or in part by the Ministry, the oversight body 
would have to approve such a requirement to disclose. Both the Minister and the 
oversight body would have to consider the public interest served and the privacy 
interest of individuals before such disclosure could be required. 


The Minister could direct that information be disclosed to another organization 
designated in the regulations for the above-stated purpose. This organization would 
have to enter into an agreement with the Minister, with terms to include that the 
information may be used or disclosed only for the purposes set out in the agreement, 
and that the organization must comply with safeguards respecting the confidentiality 
and security of the information. 


Currently, such authority to direct disclosure exists under the Public Hospitals Act. For 
many years, the Canadian Institute for Health Information (CIHI) has obtained 
identifiable patient data from hospitals in order to produce statistics. These data have 
been used, for example, 

- by the Institute for Clinical Evaluative Sciences (ICES) for projects such as the 
Practice Atlas 

- for many health research projects such as a 1999 study revealing that a beneficial 
heart drug was underutilized in older patients 

- for CIHI’s detailed reports on the health of Canadians published in Maclean’s 
magazine in 1998 and 1999. 

Without the CIHI hospital data, issuing “report cards” on hospitals would not be 
possible. 


To obtain a comprehensive view of the health system, comparable patient data are also 
needed from other parts of the health system besides hospitals. This would enable the 
Ministry to analyse patterns of service to determine, for example, what kinds of 
aftercare are most effective after surgery or what kinds of community programs help to 
avoid hospitalization. 


People sometimes ask why identifiable personal health information is needed for 
planning and management of the health system. Planners often need to work with 
personal health information in identifiable form so that they can track how the health 
system is being used, identify potential problem areas, and assess the impact of new 
programs and services. When health system planners are unable to access and link 
information from diverse sources, their ability to address health system problems is 
severely limited. Once the data have been linked, the identifiers can be removed or 
encrypted. 


✓ Rules would be set for the disclosure of information for use in proceedings. 


Personal health information could be disclosed under certain circumstances in a 
proceeding. However, health care practitioners and facilities or organizations that 
provide health care could not disclose personal health information about their patients 
or clients in proceedings unless they had consent or the court or other body holding the 
proceeding determined that the disclosure is essential in the interests of justice. This 
would apply to the written record and to information about the patient that could be 
obtained through oral disclosures. This has been the law in Ontario under the Mental 
Health Act since 1978. 


Where a statement is provided by a physician, psychologist or other appropriate health 
care provider that disclosure of a record of personal health information would likely 
result in harm to the treatment of the individual, injury to the mental condition of, or 
bodily harm to, another individual, the custodian would not be permitted to disclose the 
record unless ordered to do so by the court or other body holding the proceeding. This 
order could not be made until a hearing that excludes the public has been held to 
determine whether or not the information should be disclosed. This would not apply in 
certain proceedings, for example, a proceeding in which the individual relies on his or 
her physical or mental health as an element of the claim or response in the proceeding. 
It would also not apply to a proceeding where the competency, conduct, actions, 
licensing or registration of a person is in issue. 


How would the health sector privacy rules be administered and enforced? 


The health sector privacy rules would include a number of measures for administration and 
enforcement. Oversight of the legislation would be assigned to a neutral body and the roles 
and responsibilities of that oversight body would be set out in the legislation. Offences and 
penalties for breaching the requirements of the legislation would also be set, and the 
legislation would identify areas where regulations could be developed. 


Ontario’s goal is to have a single body responsible for compliance with all provincial 
privacy legislation. This paper focuses on proposed enforcement provisions for privacy 
rules that apply to personal health information in the health sector. 


The existing public sector legislation, including the Freedom of Information and Protection 
of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act, 
establishes the Ontario Information and Privacy Commissioner as its independent oversight 
body. This paper is not seeking comments on that legislation or its oversight mechanism. 


The Commissioner’s views are being sought on the proposals in this paper and, in 
particular, on appropriate enforcement powers. 


What role would an oversight body play? 


An independent oversight body would have a significant role in enforcing the health sector 
privacy rules. The oversight body would have various powers, including the power to 
investigate complaints, enter premises and examine relevant records, and issue orders. 


What would happen if a person had a complaint? 


✓ The oversight body could receive complaints about a custodian’s information practices, 
any alleged contravention of the legislation, or a refusal to attach a statement of 
disagreement. Individuals would also be able to complain to the oversight body if they 
had been denied access to their own personal health records. 


The oversight body could require a complainant to attempt to resolve the complaint 
directly with the custodian, investigate complaints, or authorize a mediator to 
investigate complaints and try to reach a settlement. 


The oversight body could conduct a review of the information practices of a health 
information custodian if that body believed on reasonable grounds that the custodian 
was not complying with the legislation. 


✓ The oversight body could make orders to require compliance with the legislation. 


Failure to comply with an order of the oversight body would be an offence under the 
rules. 


What do you think? 


Given Ontario’s goal to have a single body responsible for all provincial privacy legislation, 
do you have suggestions on how best to implement this approach for enforcement of the 
health sector privacy rules? 


What would be an offence under the health sector privacy rules? 


It would be an offence for a person to: 


✓ knowingly collect, use or disclose personal health information in contravention of the 
legislation 

✓ knowingly obtain or attempt to obtain personal health information to which they are not 
entitled 

✓ knowingly dispose of a health record to avoid having to provide access to the record 

✓ obstruct the oversight body or one of his or her delegates 

✓ knowingly make a false statement to the oversight body, or knowingly mislead or 
attempt to mislead the oversight body 

✓ fail to comply with an order made by the oversight body 


If a person were found guilty of any of these offences, they could be liable to a fine of up to 
$50,000. An organization or institution could be liable to a fine of up to $500,000. 


Would people be protected from liability in certain situations? 


Yes. The proposed legislation would provide protection from liability to health information 
custodians and persons employed by or in the service of a custodian who act in good faith 
and reasonably in the circumstances. This would include people who, in accordance with 
the legislation, collect, use, disclose, retain or destroy personal health information -- or do 
not do so, as the case may be. 


People who give or refuse consent to a collection, use or disclosure of personal health 
information on behalf of or in place of the individual to whom the information relates 
would not be liable for damages for giving or refusing consent if they acted reasonably in 
the circumstances, and in good faith. 


What areas could be addressed by regulations? 


The legislation would provide for regulations to be developed in a number of areas 
including: 


✓ specifying administrative, technical and physical safeguards for managing personal 
health information 

✓ specifying standards, or a process for setting standards, for electronic transfer of records 
of personal health information, including standards for transactions, data elements for 
transactions, code sets for data elements and procedures for the transmission and 
authentication of electronic signatures 

✓ specifying the circumstances in which a health information custodian is required to 
comply with these standards 

✓ establishing or designating a body or bodies that may set or adopt such standards or 
prescribed safeguards, or specifying a process for setting those standards or those 
safeguards 

✓ prescribing the requirements for computer matching 

✓ designating research ethics review bodies 

✓ prescribing any additional duties of health information custodians with respect to 
personal health information. 


When would the personal health information privacy legislation be reviewed? 


A committee of the Legislative Assembly would review the legislation no later than three 
years after it comes into force and could make recommendations for appropriate changes. 


What other Acts would be amended as a result of the proposed 
personal health information privacy legislation? 


Some Acts would require amendment, as their provisions would be incorporated into the 
proposed legislation or would no longer be needed as a result of this legislation. For 
example, the provisions of the Mental Health Act that deal with clinical records and of the 
Long-Term Care Act that deal with personal records would be repealed, as well as relevant 
regulations such as those under the Public Hospitals Act. 


The Health Cards and Numbers Control Act, 1991 would be repealed as its provisions 
would be incorporated into this legislation. The health sector privacy rules would permit 
custodians to collect, use and disclose the health number under the rules of the legislation 
but would forbid or restrict its collection, use or disclosure by others. 


What do you think? 


This paper describes the key features of the proposed personal health information privacy 
legislation for the health sector. Before work on the proposed legislated rules is complete, 
we want your advice and suggestions. 


A number of specific questions have been identified, particularly in relation to areas where 
there have been significant changes since the 1997 draft Act. We would appreciate your 
feedback on those questions as well as on the overall direction and intent of the proposed 
legislation. 


Do the various provisions of the proposed legislation for personal health information in the 
health sector seem appropriate, reasonable and workable? 


Do you have any additional comments? 


Please submit your comments by October 9, 2000 to: 


Health Privacy Consultation 
Ministry of Health and Long-Term Care 
8th Floor, Hepburn Block, 80 Grosvenor Street 
Queen’s Park, Toronto, Ontario, M7A 1R3 


Fax: (416) 314-5517 

E-mail: healthprivacy@moh.gov.on.ca 

If you have any questions about the consultation paper, please contact the Ministry of 
Health and Long-Term Care Infoline at (416) 327-4327, TTY 1-800-387-5559 or toll free 
1-800-268-1153. 


Additional copies of the consultation paper are available on-line at: 
http://moh.gov.on.ca/health 


Appendix “A” 


Protection of Personal Information — Proposal for an Ontario Privacy Act 


The Ministry of Consumer and Commercial Relations is consulting on a proposal to 
develop an Ontario Privacy Act that would, if passed, increase an individual’s ability to 
control whether and how information about them is collected, used and disclosed. Clear 
privacy rules would also provide for the appropriate use and exchange of personal 
information by businesses and organizations. 


The proposed Act would provide comprehensive protection, applying to all organizations 
and activities, except federally regulated activities (such as banking) and provincial and 
municipal government organizations covered by the provincial Freedom of Information and 
Privacy Protection Act and Municipal Freedom of Information and Privacy Protection Act. 
Appropriate exemptions would protect the public interest in areas such as the conduct of 
law enforcement. The proposed Act would not apply to personal, family and household 
uses of personal information. 


The proposed Act would create privacy rules consistent with those found in the federal 
Personal Information Protection and Electronic Documents Act (passed in April 2000) and 
the Canadian Standards Association Model Code for the Protection of Personal Information 
(which is included as a schedule in the federal Act). 


Ontario is also proposing to permit the use of sector codes where necessary for the unique 
needs of a sector or type of personal information. These rules would tailor the proposed 
Act’s requirements to a specific industry, type of information or way of using information. 
As noted in the consultation paper, the proposed Act would include legislated rules setting 
out privacy requirements for health information in the health sector. 


Proposals and questions on how best to implement such a direction are contained in the 
consultation document Consultation Proposal for an Ontario Privacy Act. Comments and 
input are welcomed. The deadline for comments is September 15, 2000. 

For further information on the proposal for an Ontario Privacy Act, please contact the 
Ministry of Consumer and Commercial Relations by telephone at (416) 326-8555, or by 
e-mail at privacy@ccr.gov.on.ca. 


A copy of the Consultation Paper is available on-line at www.ccr.gov.on.ca. 